Assign a security group

Caution

We do not recommend configuring security groups on existing networks, as this can cause load balancer failures and disrupt cloud database replication. To avoid failures and data loss, create a new private network or public subnet and enable port security on it before configuring groups.

Port security must be enabled on the network. If filtering is enabled on the network, a default security group named default is assigned to the port when it is created. You can also specify a different security group when creating a port or server, and it will be assigned instead of the default group.

You can assign a security group:

  • when creating a port;
  • to an existing cloud server port;
  • when creating a server.

In the control panel, you can only assign a group to an existing port.

Assign a security group when creating a port

  1. Open the OpenStack CLI.

  2. Create a port with a security group:

    openstack port create \
    --network <network> \
    --fixed-ip subnet=<subnet>,ip-address=<port_ip_address> \
    --security-group <security_group> \
    <port_name>

    Specify:

    • <network> — the ID or name of the network; can be viewed with the command openstack network list. For a public subnet it is the same as the parameter <subnet>;
    • <subnet> — the ID or name of the subnet; can be viewed with the command openstack subnet list;
    • <port_ip_address> — the IP address of the port;
    • <security_group> — the ID or name of the security group; can be viewed with the command openstack security group list;
    • <port_name> — the port name.
  3. Add a port to the server:

    openstack server add port <server> <port>

    Specify:

    • <server> — the ID or name of the cloud server; can be viewed with the command openstack server list;
    • <port> — the ID or name of the port you created in step 2; can be viewed with the command openstack port list.

Assign a group to an existing cloud server port

Caution

Once a group is assigned to a port, all active sessions that do not conform to the group rules will be terminated.

  1. In the control panel, on the top menu, click Products and select Cloud Servers.

  2. Open the server page → Ports tab.

  3. In the port card, in the Security Groups field, click .

  4. In the Security Groups field, check the groups you want to assign to the port, or click New Security Group and create a group.

  5. Click Save.

Assign a group when creating a server

The group will only be assigned to ports that are created with the server.

  1. Open the OpenStack CLI.

  2. Create a cloud server on the subnet by specifying a security group:

    openstack server create \
    [--image <image> | --volume <volume> | --snapshot <snapshot>] \
    --flavor <flavor> \
    --availability-zone <pool_segment> \
    --nic net-id=<net_uuid> \
    --security-group <security_group> \
    --key-name <key_name> \
    <server_name>

    Specify:

    • source type:

      • --image <image> — to create a server from an off-the-shelf or custom image. Parameter <image> — the ID or name of the image; can be viewed with the command openstack image list;
      • --volume <volume> — to create a server from a network disk. Parameter <volume> — the ID or name of the disk; can be viewed with the command openstack volume list;
      • --snapshot <snapshot> — to create a server from a snapshot. Parameter <snapshot> — the ID or name of the snapshot; can be viewed with the command openstack snapshot list;
    • <flavor> — the ID or name of the flavor. Flavors correspond to cloud server configurations and determine the number of vCPUs, the amount of RAM, and the local disk size (optional) of the server. You can use fixed configuration flavors or create a flavor. For example, 4011 is the ID for creating a Memory Line fixed configuration server with 2 vCPUs and 16 GB RAM in the ru-9 pool. You can view the list of flavors with the command openstack flavor list or in the table List of fixed configuration flavors in all pools;

    • <pool_segment> — the pool segment in which the cloud server will be created, e.g. ru-9a. The list of available pool segments can be found in the Availability matrices instruction;

    • <net_uuid> — the ID of the private or public network to which the server will be connected; can be viewed with the command openstack network list;

    • <key_name> — the name of the service user's SSH key pair. If SSH keys have not been created, generate them. The list can be viewed with the command openstack keypair list;

    • <security_group> — the ID or name of the security group; can be viewed with the command openstack security group list;

    • optional: --block-device-mapping vdb=<extra_volume> — to add an additional disk. Parameter <extra_volume> — the ID or name of the extra disk; can be viewed with the command openstack volume list;

    • optional: --tag <tag_name> --os-compute-api-version 2.52 — a tag that adds additional information about the server. Parameter <tag_name> — the tag name;

    • optional: --tag preemptible --os-compute-api-version 2.72 — a tag that creates an interruptible server;

    • optional: --user-data <user_data.file> — to specify the script to be executed at the first boot of the operating system. Parameter <user_data.file> — the path to the script in Base64 encoding. Examples of scripts can be found in the User data instruction;

    • <server_name> — server name.
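
Because a group passed to openstack server create covers only the ports created with the server, and a port created without --security-group gets the default group, it is worth checking every port of a server after the steps above. The following is an added example, not part of the original documentation: the function name audit_server_ports is hypothetical, and it assumes an authenticated OpenStack CLI and that the security group is given by ID, since the security_group_ids field of openstack port show holds IDs.

```shell
#!/bin/sh
# Added example: audit every port of a server for an expected security group.
# Assumption: the OpenStack CLI is installed and authenticated.

# audit_server_ports <server> <security_group_id>
# Prints one line per port; the return code is the number of failing ports
# (or 1 if the server has no ports at all).
audit_server_ports() {
    local server="$1" sg_id="$2"
    local failed=0 ports port enabled groups

    ports=$(openstack port list --server "$server" -f value -c ID)
    if [ -z "$ports" ]; then
        echo "FAIL $server: no ports found"
        return 1
    fi

    for port in $ports; do
        enabled=$(openstack port show "$port" -f value -c port_security_enabled)
        groups=$(openstack port show "$port" -f value -c security_group_ids)

        # Without port security the assigned groups do not filter traffic.
        case "$enabled" in
            True|true) ;;
            *)  echo "FAIL $port: port security disabled, groups are not enforced"
                failed=$((failed + 1))
                continue ;;
        esac

        # Substring match on the full ID, so the list format does not matter.
        case "$groups" in
            *"$sg_id"*) echo "OK   $port" ;;
            *)  echo "FAIL $port: group $sg_id not assigned (has: ${groups:-none})"
                failed=$((failed + 1)) ;;
        esac
    done
    return "$failed"
}

# Run the audit only when called as: script.sh <server> <security_group_id>
if [ "$#" -eq 2 ]; then
    audit_server_ports "$@"
fi
```

A non-zero exit status means at least one port is missing the group or has port security disabled, for example a port attached later with openstack server add port.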